A Mongolian Diplomat Opens a ZIP About the EU. Inside: A PlugX Variant Compiled Two Days Ago That No Antivirus Has Ever Seen
Four delivery chains, three DLL sideloading triads, and a PlugX Paranoid variant with zero VirusTotal detections
The filename translates from Mongolian: "Issues that may be raised by the EU." It's a ZIP file containing a Windows shortcut dressed up as a document. When a Mongolian government official working on EU-Mongolia relations opens it, they see a Word document about European policy. What they don't see is the PlugX implant that just installed itself by sideloading a malicious DLL into a legitimate Canon printer utility.
Researcher @smica83 flagged the sample on MalwareBazaar with a simple note: "Looks like #PlugX." We pulled the thread and found four coordinated delivery chains, three DLL sideloading triads abusing legitimate Asian software, and a PlugX Paranoid variant with a compilation timestamp of March 31, 2026 -- two days before it appeared on MalwareBazaar, and at the time of our investigation, completely absent from VirusTotal.
Four Chains in Seven Days
Between March 26 and April 2, 2026, TA416 (also tracked as Mustang Panda, RedDelta, Bronze President) deployed four distinct delivery mechanisms targeting Mongolian diplomatic entities:
| Chain | Delivery | Sideload Target | Payload |
|---|---|---|---|
| ZIP + LNK | "EU issues" Mongolian lure | Canon CNMNSST.exe + CNCLID.dll | PlugX Paranoid via Canon.dat |
| CHM + BaiduNetdisk | Help file social engineering | ShellFolder.exe + ShellFolderDepend.dll | PlugX via Shelter.ex |
| RAR + Steam | Gaming-themed lure | steam_monitor.exe + crashhandler.dll | PlugX via crashlog.dat |
| Standalone DLLs | Direct deployment | Various | Multiple PlugX configs |
Four different social engineering themes. Four different sideloading triads. All delivering PlugX variants in a one-week window. This is a coordinated campaign, not opportunistic scanning.
The Canon Triad
The primary chain -- the Mongolian EU lure -- uses Canon printer software for DLL sideloading. The legitimate CNMNSST.exe (a Canon printer status monitor) imports the GetLangID export from CNCLID.dll, so a malicious CNCLID.dll dropped next to the executable is loaded the moment the signed binary starts. The malicious DLL reads Canon.dat from the same directory, XOR-decrypts it with the single-byte key 0xC6, and executes the resulting PlugX shellcode.
The persistence path -- C:\Users\Public\Canon -- mimics a legitimate Canon software installation. On a system with Canon printers installed, this directory wouldn't look suspicious to a casual investigation. It should: installers put program binaries under Program Files, not under the world-writable C:\Users\Public, so a Canon executable running from that path is a concrete, checkable anomaly.
CNCLID.dll was compiled on March 31, 2026. When we checked VirusTotal during our investigation, the hash was unknown to the platform. Not low detection -- zero: no engine had ever been handed this binary, so there was no signature coverage to speak of.
Decrypting PlugX Paranoid
The encrypted payload in Canon.dat uses single-byte XOR with key 0xC6. After decryption, the payload reveals itself as a shellcode-PE hybrid -- the PE header (the MZ signature) begins at offset 7, preceded by a seven-byte shellcode stub that sets up execution and hands control to the embedded PE.
The decrypted PlugX binary uses the "Paranoid" variant's multi-layer configuration encoding:
- API resolution via hash tables (not import table)
- Distinct 4-byte XOR patterns per configuration block
- Wide-string C2 addresses embedded at known offsets
From the decrypted configuration, we extracted a partial C2 address: 143.0.3.X -- an IP range belonging to a Brazilian ISP, more likely a compromised relay than direct operator infrastructure. The port field (value 25 at offset +28, type 2/TCP) indicates the C2 channel runs over port 25, consistent with the SMTP covert channel technique we've observed in other Chinese APT tooling.
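The decryption steps above are simple enough to script. The following is an added example written for this write-up, not the report's own tooling: it recovers a single-byte XOR key by brute force (so it also handles samples whose key is not 0xC6), validates the carved PE by following e_lfanew to the `PE\0\0` signature rather than trusting the first `MZ` it sees, and then pulls UTF-16LE IPv4 literals with their offsets, which is how the wide-string C2 addresses described above would be located. The blob it runs on is constructed in the script (a seven-byte stub, a minimal MZ/PE header and a wide-string RFC 5737 test address, XORed with 0xC6); it is not the real Canon.dat, and the documentation-range IP is a placeholder, not the campaign's C2.

```python
"""Recover a single-byte XOR key, carve the embedded PE and list wide-string IPv4s.

Added example, not the report's tooling. The sample blob is constructed here.
"""
import re
import struct
import sys
from typing import List, Optional, Tuple

XOR_KEY_FROM_REPORT = 0xC6  # key observed for Canon.dat in the text


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_pe(decrypted: bytes) -> Optional[int]:
    """Offset of an MZ header whose e_lfanew really points at a PE signature."""
    idx = decrypted.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(decrypted):
            e_lfanew = struct.unpack_from("<I", decrypted, idx + 0x3C)[0]
            pe_off = idx + e_lfanew
            if pe_off + 4 <= len(decrypted) and decrypted[pe_off:pe_off + 4] == b"PE\x00\x00":
                return idx
        idx = decrypted.find(b"MZ", idx + 1)
    return None


def recover_xor_key(blob: bytes) -> Optional[Tuple[int, int]]:
    """Try all 256 keys; return (key, pe_offset) for the first that yields a valid PE."""
    for key in range(256):
        off = find_pe(xor_bytes(blob, key))
        if off is not None:
            return key, off
    return None


def carve(blob: bytes, key: int, pe_offset: int) -> bytes:
    """Decrypt and drop the shellcode stub so the result starts at the MZ header."""
    return xor_bytes(blob, key)[pe_offset:]


# UTF-16LE "d.d.d.d" with 1-3 digits per octet; \d in a bytes pattern is ASCII-only.
WIDE_IPV4 = re.compile(rb"(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}")


def wide_ipv4_strings(data: bytes) -> List[Tuple[int, str]]:
    """(offset, dotted-quad) for every wide-string IPv4 literal whose octets are <= 255."""
    hits = []
    for m in WIDE_IPV4.finditer(data):
        text = m.group().decode("utf-16-le")
        if all(int(octet) <= 255 for octet in text.split(".")):
            hits.append((m.start(), text))
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for Canon.dat: 7-byte stub, minimal PE, wide-string IP, XOR 0xC6."""
    stub = b"\xe8\x00\x00\x00\x00\x5e\x90"  # call/pop/nop: the shape of a stub, not real shellcode
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    pe = b"PE\x00\x00" + b"\x4c\x01" + bytes(18)  # signature, Machine=0x14c, rest zeroed
    config = bytes(16) + "203.0.113.25".encode("utf-16-le") + b"\x00\x00"  # placeholder C2
    return xor_bytes(stub + bytes(dos) + pe + config, XOR_KEY_FROM_REPORT)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    found = recover_xor_key(blob)
    if found is None:
        sys.exit("no single-byte XOR key yields a valid PE")
    key, off = found
    print(f"key=0x{key:02x} pe_offset={off}")
    for offset, ip in wide_ipv4_strings(carve(blob, key, off)):
        print(f"  wide-string IPv4 at +0x{offset:x}: {ip}")
```

Two details carry over to hunting: because `MZ` XORed with 0xC6 is `8B 9C`, that byte pair at offset 7 of an opaque .dat file is a cheap content signature for this key, and validating via e_lfanew avoids false positives when the stub or configuration happens to contain the letters MZ.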
The Misspelled Export
One artifact ties this campaign most tightly to TA416: the _RigsterHook export function in ShellFolderDepend.dll. It's a misspelling of "RegisterHook" that has appeared consistently across Mustang Panda operations since at least 2024. Proofpoint documented this same typo in their March 2026 reporting on TA416's Canon persistence pattern.
Misspelled function exports are the software equivalent of a fingerprint. They persist across builds because the name is resolved by string: fixing the typo in the DLL without also updating every loader that looks the function up by name would break the chain. Once a builder template contains a typo, it propagates through every payload generated from that template.
Attribution
HIGH confidence TA416 / Mustang Panda (People's Republic of China, state-sponsored).
Evidence:
- Canon CNMNSST.exe sideloading pattern (documented by Proofpoint, March 2026)
- _RigsterHook misspelled export (persistent TA416 artifact)
- PlugX Paranoid variant (exclusive to Chinese APT ecosystem)
- DLL sideloading of Asian software (Canon, BaiduNetdisk, Steam) -- signature TA416 TTP
- Mongolian diplomatic targeting aligned with PRC intelligence priorities
- C:\Users\Public\Canon persistence path (documented TA416 pattern)
Indicators of Compromise
File Indicators
All 10 SHA256 hashes covering the four delivery chains -- LNK files, DLL loaders, encrypted payloads, and the decrypted PlugX binary -- are published in our full report and GitHub repository.
Behavioral Indicators
- CNMNSST.exe loading CNCLID.dll from non-Canon directories
- Canon.dat file in C:\Users\Public\Canon\
- ShellFolder.exe loading ShellFolderDepend.dll with _RigsterHook export
- steam_monitor.exe loading crashhandler.dll
- XOR-decrypted PE at offset 7 (shellcode-PE hybrid)
- Wide-string IP addresses at offset 0x34690 in decrypted payload
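The behavioral indicators above translate directly into a check over image-load telemetry (Sysmon Event ID 7 style: which process loaded which image). What follows is an added example for this write-up, not the report's published YARA or Suricata rules: it knows the three sideloading triads from the campaign table, flags the pair when the host executable runs from outside where that vendor's software is normally installed, raises the score when the loader sits under C:\Users\Public or when the companion encrypted payload is present in the same directory. The expected install directories are assumptions, and the four events it scans are constructed records, not telemetry from the intrusion.

```python
"""Score image-load events for the sideloading triads described in this report.

Added example, not the report's detection rules. Install directories are assumptions;
the sample events are constructed.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# host executable -> (DLL it sideloads, companion encrypted payload), per the campaign table
TRIADS = {
    "cnmnsst.exe": ("cnclid.dll", "canon.dat"),
    "shellfolder.exe": ("shellfolderdepend.dll", "shelter.ex"),
    "steam_monitor.exe": ("crashhandler.dll", "crashlog.dat"),
}

# Assumption: where the legitimate host binaries normally live. Tune per estate.
EXPECTED_DIRS = {
    "cnmnsst.exe": (r"c:\program files\canon", r"c:\program files (x86)\canon"),
    "shellfolder.exe": (r"c:\program files\baidu", r"c:\program files (x86)\baidu"),
    "steam_monitor.exe": (r"c:\program files\steam", r"c:\program files (x86)\steam"),
}

PUBLIC_ROOT = (r"c:\users\public",)  # persistence root reported for this campaign


def _under(path: PureWindowsPath, roots: Iterable[str]) -> bool:
    """Case-insensitive 'path is root or lies beneath root' on Windows paths."""
    p = str(path).lower()
    return any(p == r or p.startswith(r + "\\") for r in (x.lower() for x in roots))


def assess_image_load(process_image: str, loaded_image: str,
                      same_dir_files: Optional[Iterable[str]] = None) -> Dict[str, object]:
    proc, dll = PureWindowsPath(process_image), PureWindowsPath(loaded_image)
    exe = proc.name.lower()
    reasons: List[str] = []
    if exe not in TRIADS or dll.name.lower() != TRIADS[exe][0]:
        return {"process": process_image, "severity": "none", "reasons": reasons}
    expected_dll, payload = TRIADS[exe]
    reasons.append(f"{exe} loaded {expected_dll} (known sideload pair)")
    if dll.parent != proc.parent:  # PureWindowsPath equality is case-insensitive
        reasons.append("DLL not co-located with host executable (atypical for this triad)")
    if not _under(proc.parent, EXPECTED_DIRS.get(exe, ())):
        reasons.append(f"host runs from {proc.parent}, outside its expected install directories")
    if _under(proc.parent, PUBLIC_ROOT):
        reasons.append("directory under C:\\Users\\Public (reported PlugX persistence path)")
    if payload in {f.lower() for f in same_dir_files or ()}:
        reasons.append(f"companion payload {payload} present alongside the loader")
    severity = "high" if len(reasons) >= 2 else "info"
    return {"process": process_image, "severity": severity, "reasons": reasons}


def scan_events(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    return [assess_image_load(e["Image"], e["ImageLoaded"], e.get("DirListing")) for e in events]


# Constructed events, not real telemetry. Field names follow Sysmon Event ID 7.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Canon\CNMNSST.exe",
     "ImageLoaded": r"C:\Users\Public\Canon\CNCLID.dll",
     "DirListing": ["CNMNSST.exe", "CNCLID.dll", "Canon.dat"]},
    {"Image": r"C:\Program Files\Canon\Utilities\CNMNSST.exe",
     "ImageLoaded": r"C:\Program Files\Canon\Utilities\CNCLID.dll",
     "DirListing": ["CNMNSST.exe", "CNCLID.dll"]},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\steam\steam_monitor.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\steam\crashhandler.dll",
     "DirListing": ["steam_monitor.exe", "crashhandler.dll", "crashlog.dat"]},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for result in scan_events(SAMPLE_EVENTS):
        print(result["severity"].upper(), result["process"])
        for reason in result["reasons"]:
            print("   -", reason)
```

The known-pair match alone is only "info", since the same load happens on every machine with the legitimate software; it is the combination with an unexpected directory or the companion payload that makes the event worth an analyst's time.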
Detection
Six YARA rules and six Suricata signatures covering the Canon sideloading triad, the PlugX Paranoid decryption pattern, and the misspelled export are available in our GitHub repository.
h/t @smica83 for the initial sample.